2024-0712-24
Info |
---|
Rolling out throughout July 24th, 2024. |
31
Receiving sharing links from third parties has been the cause of many concerns due to phishing. We’ve added a new Caution Threat Category called External Sharing Link. This category currently works against SharePoint and OneDrive shared objects but will expand to other third-party services in the future.
The protection will be enabled by default but will not contain any “Trusted” Microsoft tenants.
...
For Microsoft tenants for which you DO NOT wish to receive an External Sharing Link warning, add the tenant’s name to the “Do not warn about the following trusted Microsoft tenant domains” multi-box; this suppresses the External Sharing Link threat category for that tenant.
The tenant’s name is the subdomain of the tenant address found within an M365 system that ends in .onmicrosoft.com.
For example, for polvocapital.onmicrosoft.com,
- polvocapital
would be entered in the multi-box to suppress the External Sharing Link threat category for Polvo Capital’s tenant.
The External Sharing Link threat category by itself is just a caution banner; however, if it’s coupled with additional categories, such as First-Time Sender, it’ll push towards being a dangerous message more quickly than previously. It’s also possible that the External Sharing Link threat category rises to a Danger threat level by itself if it’s coupled with raw suspicious text, such as Contract Bid, Quote Request, Secured Document, or other similar terms that are more frequently used in phishing attempts.
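The trusted-tenant suppression described above, sketched as an added example that is not INKY's code. It assumes the tenant label in a SharePoint or OneDrive link host (tenant.sharepoint.com, tenant-my.sharepoint.com) equals the .onmicrosoft.com name; the function names and sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

SUFFIX = ".sharepoint.com"

def tenant_from_onmicrosoft(address):
    """'polvocapital.onmicrosoft.com' -> 'polvocapital', the value to enter."""
    name, _, rest = address.strip().lower().partition(".")
    if not name or rest != "onmicrosoft.com":
        raise ValueError(f"not a tenant address: {address!r}")
    return name

def tenant_from_link(url):
    """Tenant label of a SharePoint/OneDrive link, or None for any other host."""
    host = (urlsplit(url).hostname or "").rstrip(".")  # hostname is lowercased
    if not host.endswith(SUFFIX):
        return None
    label = host[: -len(SUFFIX)]
    if not label or "." in label:  # extra labels in front: not a tenant host
        return None
    # Assumption: OneDrive hosts append "-my" to the tenant label.
    return label[:-3] if label.endswith("-my") else label

def warning_suppressed(url, trusted_tenants):
    """True only when the link's parsed host belongs to a trusted tenant."""
    tenant = tenant_from_link(url)
    return tenant is not None and tenant in {t.lower() for t in trusted_tenants}

# Constructed sample links (not from the release notes).
SAMPLE_LINKS = [
    "https://polvocapital.sharepoint.com/:x:/s/deals/abc",
    "https://PolvoCapital-my.sharepoint.com/personal/jdoe/Documents/q3.xlsx",
    "https://othertenant.sharepoint.com/:w:/s/bids/xyz",
    "https://polvocapital.sharepoint.com.files.example/:x:/s/deals/abc",
    "https://polvocapital.sharepoint.com@files.example/doc",
]

def check_samples():
    """Suppression decision for each sample link with polvocapital trusted."""
    trusted = [tenant_from_onmicrosoft("polvocapital.onmicrosoft.com")]
    return [warning_suppressed(u, trusted) for u in SAMPLE_LINKS]

if __name__ == "__main__":
    for url, ok in zip(SAMPLE_LINKS, check_samples()):
        print("suppressed" if ok else "warn      ", url)
```

Only the first two links are suppressed: the last two merely contain the trusted name, and matching on the parsed hostname rather than on a substring keeps them in the warning path.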
...
Burst Detection
Burst Detection will gradually roll out. If you are under a Burst Attack—often referred to as a Spam Bomb, Subscription Attack, Email Bomb, Email Flood Attack, or Email Storm—please reach out to support@inky.com to have this feature enabled specifically for your team or organization.
INKY introduces Burst Detection, a powerful new feature to help administrators detect and respond to sudden surges in email volume targeting specific recipients over a short period. These bursts can be part of a strategy to overwhelm or distract users, often paired with unsolicited tech support calls or other suspicious offers to help “resolve” the issue.
Configuration can be found at https://app.inkyphishfence.com/settings/analysis. For customers that use Organizations to manage many teams, this setting can be inherited from the Organization profile.
At the bottom of https://app.inkyphishfence.com/settings/api-access for a given team, you’ll find an option to enable or disable Delegated Access to Tenant Mail Content.
When Delegated Mail Content Access is enabled, parent and ancestor organization administrators will be authorized to access sensitive mail content within your tenant, such as the body of the mail. Note that this applies only to administrators who can remediate mail (Policy Admin, Super Admin).
To modify this section, you must be signed in as an administrator with mail content permissions on the team's tenant and have Directory and Remediation API Access granted.
This is not the MSP admin account but the end customer’s admin account.
...
When adding an action to an Outbound Mail Protection rule, you can select the Cog Icon to customize the action setting. This action configuration now allows you to include read receipts when sending encrypted messages.
As an admin, navigate to https://app.inkyphishfence.com/settings/outbound and configure your specific rule. When you add the encryption action, you can select “Send Read Receipts”.
...
When an end user opens an encrypted email by navigating through the login process, the sender of the encrypted email will receive the below Email Encryption message view notification.
...
Adding a readable action summary to the Outbound Mail Protection rule editor gives admins more visibility on the exact actions that are selected.
...
If your team utilizes Cybsafe on the https://app.inkyphishfence.com/settings/phishing-awareness-training page, we’ve updated the matching algorithm to ensure we identify their phishing training emails. No action is required if the Cybsafe provider is already selected.
There may have been times when scrolling through a large list of messages on the message list view within the Observations Page or Custom Dashboard. We’ve implemented a fix that should resolve this issue, but if you continue to experience it, please reach out to support@inky.com.
Learn more here: Burst Detection
Info |
---|
You can configure Burst Detection at either the team level or the organization level to apply consistent detection parameters across all teams. Any team-level setting will override the organization-level values. |
With the new Burst Detection feature, administrators can configure:
- Burst Interval (seconds): Define a time window (for example, 300 seconds) within which to measure a surge in email volume.
- Message Threshold: Set the minimum number of messages (e.g., 20) needed to trigger detection of a burst in that time interval.
- Burst Mode Cache Duration (seconds): Keep a recipient in “burst mode” for a set duration after the initial burst detection to ensure continued protection, even if the volume temporarily dips.
- Ignore Senders/Recipients for Burst Detection: Specify email addresses or domains that should never trigger or be flagged as part of a burst (useful for high-volume internal senders or privileged services).
- Result Bucket: Choose the category (e.g., “Caution (Spam)”) that INKY assigns when a message is detected as part of a burst.
- Delivery Target: Override the delivery action (e.g., route to “Junk Folder”) for burst-detected messages.
- Exclude Internal or Trusted 3rd Party Messages: Automatically skip internal or trusted third-party messages from burst calculations.
- Exclude Known External Messages: Similarly, skip known external, trusted contacts from contributing to burst detection.
...
How It Works
When a sudden surge in email volume meets or exceeds the specified “Message Threshold” within the configured “Burst Interval,” the target recipient is immediately considered in “burst mode.” Messages are flagged under the “Suspicious Mail Burst” threat category, and INKY will apply the configured result bucket and delivery target for the duration of the “Burst Mode Cache.”
Use Burst Detection to protect against potential social engineering attacks that rely on message spamming, or to stay alert when a specific user suddenly becomes a high-volume email target.
For more information on setting up or fine-tuning Burst Detection, refer to your INKY documentation or contact your INKY support representative.
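How the interval, threshold, cache duration and ignore list interact, as an added sketch that is not INKY's implementation. The sliding-window counting, the class and function names, the 900-second cache value and the sample traffic are all assumptions made for illustration.

```python
from collections import defaultdict, deque

class BurstDetector:
    """Toy model of the settings described above; not INKY's implementation."""

    def __init__(self, interval=300, threshold=20, cache_duration=900, ignore=()):
        self.interval = interval                # Burst Interval (seconds)
        self.threshold = threshold              # Message Threshold
        self.cache_duration = cache_duration    # Burst Mode Cache Duration (seconds)
        self.ignore = {a.lower() for a in ignore}  # addresses or bare domains
        self.recent = defaultdict(deque)        # recipient -> arrival times in window
        self.burst_until = {}                   # recipient -> end of burst mode

    def _ignored(self, address):
        address = address.lower()
        return address in self.ignore or address.rpartition("@")[2] in self.ignore

    def observe(self, ts, sender, recipient):
        """Return True if the message arriving at time ts is treated as burst mail."""
        if self._ignored(sender) or self._ignored(recipient):
            return False                        # never counted, never flagged
        recipient = recipient.lower()
        window = self.recent[recipient]
        window.append(ts)
        while window[0] <= ts - self.interval:  # drop arrivals older than the interval
            window.popleft()
        if len(window) >= self.threshold:       # "meets or exceeds" the threshold
            self.burst_until[recipient] = ts + self.cache_duration
        return ts < self.burst_until.get(recipient, 0)

def classify(messages, **settings):
    """Run (ts, sender, recipient) tuples, given in time order, through a detector."""
    detector = BurstDetector(**settings)
    return [detector.observe(*m) for m in messages]

# Constructed traffic: 25 list sign-ups in under a minute, a straggler inside the
# cache period, one message after it expires, and mail to a different recipient.
VICTIM = "victim@corp.example"
SAMPLE = [(i * 2, f"news{i}@list{i}.example", VICTIM) for i in range(25)]
SAMPLE += [(600, "late@list.example", VICTIM),
           (2000, "colleague@partner.example", VICTIM),
           (2001, "hr@corp.example", "other@corp.example")]

if __name__ == "__main__":
    for (ts, sender, rcpt), hit in zip(SAMPLE, classify(SAMPLE)):
        print(f"{ts:>5} {rcpt:<20} {'BURST' if hit else 'ok':<6} {sender}")
```

With these defaults the first 19 messages pass unflagged because the threshold has not yet been met, and the lone message at 600 seconds is still flagged because the recipient remains in burst mode.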
The Dashboard Widget Filter Editor, under Analysis → Brand Impersonation, has a new capability to filter messages based on the detected brand’s domain. Selecting a specific brand’s domain or multiple brand domains will retrieve a list of messages that INKY has identified as Brand Impersonation based on the brand selected.
...
With this update, hovering over the From and Reply-To email addresses in a message header will display a popup rendering the address in a monospaced font and in lowercase. This design improvement helps users quickly identify confusable characters and spot potential phishing attack vectors with greater ease.
...
We've added concise, helpful descriptions to some of the less obvious filters in the Filter Editor. For example, the Brand Impersonation Filter now includes guidance on detecting impersonations based on a brand's primary domain. These updates make it easier to understand and configure filters for your security needs.
...